I have a new client with a previous Movable Type installation containing a malware problem. After learning that Google was warning potential site visitors of a problem when they would enter the site in a search query, we noticed that once you hit the home page, IE7 would warn that the site was attempting to download "outlook.exe." Although there is obviously an "outlook.exe" in every Microsoft Outlook installation, I did a little research and apparently the worm Mimail.Q uses the syntax "outlook.exe" as a cloak to enter one's system and spread spam via the Outlook address book.
The hosting company was able to determine that MT's index.php file contained a link to the malware at the end of the file. My question is: do any of you have experience resolving this type of issue? If it was malware on my system, I would just attempt to remove it via SpyBot, Ad-Aware, etc. However, how about on a remote server? Although I regularly create and update index.html files, I'm unfamiliar with the index.php file - where it comes from, how it's created, how to edit it, implications for MT if I attempt to edit it/remove it, etc. etc.
The hosting company states that I can see the malware at the end of the index.php file, and "can see it under the <IFRAME> tag." Now I don't know why the hosting company can't just edit the file (my client spoke to them), but I assume it's a privacy issue.
I'm assuming at this point I'll try downloading the index.php file to my system, remove the data within the <IFRAME> tags, save it and ftp it back to the site server, but I wanted to check and see if anyone here had dealt with a similar issue first.
Thanks for any input!
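
The check the hosting company describes (an `<IFRAME>` appended to the end of index.php) can be run over a downloaded copy of the site. This is an added example, not part of the original post; the function names, the "hidden frame" heuristics and the sample page with its placeholder host are assumptions made for illustration.

```python
import os
import re

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Assumed heuristics for a frame made invisible to the visitor.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE)
HTML_END_RE = re.compile(r"</html\s*>", re.IGNORECASE)

def find_suspicious_iframes(text, tail_chars=512):
    """Report iframes that sit after </html>, in the file tail, or are hidden."""
    end = HTML_END_RE.search(text)
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs, reasons = m.group(1), []
        if end and m.start() >= end.end():
            reasons.append("after </html>")
        elif not end and m.start() >= len(text) - tail_chars:
            reasons.append("in file tail")  # file has no </html>, e.g. pure PHP
        if HIDDEN_RE.search(attrs):
            reasons.append("hidden")
        if reasons:
            src = SRC_RE.search(attrs)
            findings.append({"line": text.count("\n", 0, m.start()) + 1,
                             "src": src.group(1) if src else None,
                             "reasons": reasons})
    return findings

def scan_tree(root, exts=(".php", ".html", ".htm")):
    """Yield (path, finding) for every flagged iframe under a local site copy."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for finding in find_suspicious_iframes(fh.read()):
                        yield path, finding

# Constructed sample: one ordinary iframe, one appended after the page ends.
SAMPLE = """<?php include('header.php'); ?>
<html><body>
<iframe src="/calendar.html" width="400" height="300"></iframe>
</body></html>
<iframe src="http://malware.example.invalid/x" width=0 height=0></iframe>
"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE):
        print(f["line"], f["src"], ", ".join(f["reasons"]))
```

Running `scan_tree` over a downloaded copy of the whole site, not just index.php, shows whether other files carry the same appended tag.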